07:00 AM

Want Turns to Need

Software security is no longer an emerging discipline, and here's why enterprises should care

Software security (also known as application security to some) is less than a decade old. In 1999 when I began to write "Building Secure Software" with John Viega, there were no books and only a few articles for software developers and architects interested in building in security. Lots of tomes and titles now fill the software security bookshelf.

Not surprisingly, software security is now considered a real subsector of computer security and is even tracked by analysts. The Yankee Group estimates that the entire market is worth between $250-275 million, numbers that jive with my own breakdown of the space.

As software security grows from a nice-to-have into a necessity, many companies are trying to determine how to get started. A quick look over the space can provide some answers.

Bigger Toolbox
Last year, the combined software security tools market earned between $90-$100 million. Most of this revenue was earned by black box testing tools, especially those tools created specifically for testing Web software. Black box testing tool vendors earned between $58-$70 million. The leader in the Web application security testing space is Watchfire, which earned close to $30 million last year. The other strong competitor, SPI Dynamics, earned just over $18 million. Lesser companies in the space including Cenzic, Codenomicon, and the like, earned another $10 million or so between them.

My view of black box testing tools, which I call "badness-ometers," is well known. In brief, badness-ometers are great for helping identify and highlight the software security problem -- just don't treat them as security meters. As such, I'm pleased that the market for these tools is robust, having doubled last year and continuing with similar growth into 2007. The best aspect of these tools is that they help companies and developers understand that their software is broken -- an essential activity in a new market like software security. Once this realization hits home, these companies are well positioned to take advantage of code analysis tools and other software security professional services.

If your company has yet to come to grips with software security, a black box testing tool may be just what the doctor ordered. On good days, these tools can find very serious problems with very little up front investment, and in many organizations, identifying the problem is often half the battle.

As badness-ometers continue to spread, they drive demand for solutions that do more than identify the problem. Source-code analysis tools speak to this demand. Last year, code scanners earned around $20 million (more than doubling the 2005 revenue). This market is dominated by Fortify, which earned 10 times more than its closest remaining competitor, Ounce Labs. (Fortify acquired some of the assets of Secure Software early this year.) Klokworks and Coverity, which sell closely related tools, tend to focus more on software quality than software security, so I don't count their revenue in this analysis.

Code scanning tools are often very reasonable places to start for development groups that want to tackle the software security problem, especially in shops that are code intensive.

Services Uptick
Tools like software security testing tools and source code analysis tools don't run themselves, nor do they provide a silver bullet for the software security problem. All told, the software security services market is worth anywhere from $80-$120 million. SPI-Dynamics and Watchfire's offerings are simple and powerful enough to be wielded by workaday testers and developers, but more complex tools work much more effectively when they are properly integrated into an organization.

Large consultancies such as IBM Global Services, Cybertrust, Symantec, and Ernst & Young focus their software security activities on application penetration testing services. Ultimately, these are badness-ometer services. In many cases, they rely on running and reporting the results of a Web application security testing tool.

Boutique consulting shops such as Foundstone and Cigital focus more attention on getting inside the code. These consultancies wield source code scanners, provide training, and also perform architectural risk analysis.

In 2006, services surrounding more complete software security initiatives at the enterprise level came into vogue. These large scale initiatives include training for thousands of developers, the creation of enterprise-specific knowledge and guidance, and the integration of software security best practices (which I call the touchpoints) into the software development lifecycle.

Overcoming Denial
Software security is quickly becoming a business necessity. As I described in last month's column, SOX and PCI compliance activities serve to help corporations better understand their software risk. (See Compliance As Kick-Starter.) Because the impact of software failure (maliciously caused or otherwise) is great, many corporations are already working diligently on software security.

There are many ways to get started. Those corporations serious about tackling the problem -- that is, those corporations with staggering amounts of software security risk -- take on a multi-year enterprise software security initiatives. Microsoft has made plenty of noise and progress with its Trustworthy Computing initiative. Other ISVs, including Oracle and Cisco, are rushing to catch up even as their customers begin to ask hard questions about product security. The financial vertical leads the pack among non-ISV corporations with large scale initiatives underway. The first step in any large initiative is creating a plan based on best practices. Such plans almost always include a heavy training component.

A large initiative may be too much to bite off at once, especially if your company has yet to come to grips with the business reality of the problem. In these cases, getting started with a simple badness-ometer tool is often helpful. These tools can produce eye-opening results of the "oh darn" variety, which in turn provide excellent ammunition to counter challengers who claim "our software is just fine."

Another alternative is hiring a security team to analyze a critical application. The deeper the analysis, the better the results will be; but even a quick and dirty penetration test can serve to get the ball rolling.

Training also makes a great starting point, especially if it is focused on developers and architects. The trick to successful software security training is to make sure that whoever develops and delivers it is a bona fide software person. Years of security of experience will not help without deep knowledge of C, C++, Java, and software architecture. Developers only listen to their own kind.

No matter what the route, there is no longer any excuse to put off software security. Customers are becoming aware of the problem, regulations demand real solutions, and the reactive network security hacks of the past consistently fail.

Computer security spent many years in a reactive stance, with vendors inventing and peddling band-aid solutions like firewalls, antivirus tools, and intrusion detection engines. Only recently has the stark reality of security begun to sink in. We have no alternative but to build security into the software that we depend on to run the modern world.

Gary McGraw is CTO of Cigital Inc. Special to Dark Reading

  • Cenzic
  • Cisco Systems Inc. (Nasdaq: CSCO)
  • Codenomicon Ltd.
  • Coverity Inc.
  • Cybertrust
  • Ernst & Young International
  • Fortify Software Inc.
  • IBM Global Services
  • Microsoft Corp. (Nasdaq: MSFT)
  • Oracle Corp. (Nasdaq: ORCL)
  • Ounce Labs
  • SPI Dynamics
  • Secure Software Inc.
  • Symantec Corp. (Nasdaq: SYMC)
  • Watchfire Corp.

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    5 Security Technologies to Watch in 2017
    Emerging tools and services promise to make a difference this year. Are they on your company's list?
    Flash Poll
    New Best Practices for Secure App Development
    New Best Practices for Secure App Development
    The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    Published: 2015-10-15
    The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

    Published: 2015-10-15
    netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

    Published: 2015-10-15
    Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

    Published: 2015-10-15
    Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

    Published: 2015-10-15
    Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

    Dark Reading Radio
    Archived Dark Reading Radio
    In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.